Researchers at Rice University on Monday made public a bug in Google Desktop Search that could let hackers secretly search the contents of a user's hard drive. Google, which was made aware of the flaw last month, has created a fix and is updating the software automatically as users connect to the Internet.
Dan Wallach, an assistant professor of computer science at Houston's Rice University, discovered the vulnerability with the help of two graduate students, Seth Fogarty and Seth Nielson. Wallach characterized the flaw as "serious," and said in an online advisory posted to the Computer Security Lab's Web site that an attacker would be able to read small pieces of files indexed by Google Desktop Search.
"If you had a file with a list of passwords, for example, an attacker might be able to read some of those passwords," said Wallach in the advisory.
The hacker, said Wallach, would most likely have to entice users to a Web site that hosted a malicious Java applet, but other scenarios -- including unsecured Wi-Fi connections, such as those in public hotspots -- might let the attacker inject the exploit into any Web page.
Google isn't the only search site that's pushing into desktop search. While it beat rivals to market by releasing the free-of-charge Desktop Search in mid-October, Microsoft, Yahoo, and Ask Jeeves recently released preview versions of similar tools or announced that they would debut tools shortly.